Here’s my new look! As I announced in the Oct. 30 issue of the LangaList,
I’m merging with the Windows Secrets Newsletter to bring you even better
content. The combined newsletter will reach more than a quarter million
subscribers. And it gives me access to features that my newsletter didn’t
previously have.

I have important news for everyone who uses Windows. The LangaList — a respected e-mail newsletter that’s uncovered the tips and tricks
of Microsoft’s operating system for nine years — is merging with the
Windows Secrets Newsletter.

The "squeaky wheel gets the grease" seems to be Microsoft’s motto lately, as
several patches for Internet Explorer (and components used by IE) were released
out-of-cycle last month and on this week’s Patch Tuesday.

Meanwhile, flaws in IE that are equally severe — but were getting less media
attention — were left unpatched.

Microsoft’s new browser, Internet Explorer version 7.0, will ship sometime
soon with updated features and better security — so of course our contributing
editor Woody Leonhard explained on
Sept. 14 how to
prevent version 7 from automatically downloading to your PC.

It’s not that there’s anything wrong with IE 7, mind you. Woody just thinks
other people, not you, should be the first to get bitten by any point-oh bugs.

I’m flattered when folks say they don’t patch their systems until they read
my column, but this
month I’d rather you read Chris Mosby’s column first.

With all the unpatched issues that arise with IE,
it’s not enough to be “fully patched” with Microsoft’s latest fix (MS06-055), you also need
to install workarounds when you hear of them. Fixing recent Microsoft patches —
for example, the two-week-old MS06-049 — is also essential, as I describe below.

It didn’t take long before IE was back in my sights, and as usual the flaws that have come up are serious.

I’m rather tired of Microsoft acting like newfound flaws in IE are no big deal, no matter how
critical the holes may be. I wish the company
would quickly admit the problem, take responsibility, and just fix it.

If you’re a frequent reader of my column, then you know that I usually have
a lot to say about the security of Microsoft’s Web browser, Internet Explorer. This time, my focus will
include Mozilla’s
Firefox.

Even though I still consider Firefox to be a much safer
browser than IE, I wouldn’t be doing my job if I just ignored
flaws that affect the Mozilla browser and didn’t report them.

Our newsletter and Web site will sport a new logo, shown above,
beginning with our next regular issue on Sept. 14.

We wanted to surprise you, but we figured we’d better give you some warning. We didn’t
want you to open your e-mail next month and think unknown people were sending you some
new, weird newsletter. Nope, it’s just the same old weird
newsletter.

Readers have asked me, “How quickly is my computer protected after Patch
Tuesday, if I have auto-updates turned on?”

The question arises because most of the patches that Microsoft posted on
Aug. 8 took a lot longer than
usual to download. It appears that Windows Update, when configured to
download and install patches automatically, didn’t start downloading most
patches until three days after Patch Tuesday. Some PCs didn’t auto-install all
of the security patches until nine days had passed.

A sweeping review of 10 security suites published in a major computer magazine
last month featured some very unlikely rankings for this crucial category of products.
After examining the evidence, I’ve found that some material facts were omitted from
the article, rendering its ratings useless.

As though we didn’t have enough to worry about with viruses and worms, my
readers are reporting all kinds of trouble with the IE7 beta, Windows Update,
and Microsoft’s little-known dumprep.exe program.

I’ll show you how to get over these and other software gotchas in the tips
below.

The shock waves caused by Microsoft’s decision to quietly install Windows Genuine
Advantage through its security update mechanism are still being felt by my
readers.

The marketplace for non-Microsoft antivirus packages, security suites, and the
like is crowded with well-known competitors. By contrast, the field of Windows
Update alternatives is new and the players are little-known. Until more reviews
have been published by major test labs, I’ll keep bringing you my findings and
the comments of Windows users who are doing their own analyses.

In my last issue, I reported that Microsoft’s in-house Windows Update routine
is now likely to download marketing gimmicks such as Windows Genuine Advantage to your
PC. I advised all Windows users, other than novices, to turn off Automatic
Updates.

I can’t remember a time when the newsletter has received more heartfelt tips
from readers than the controversy of the last two months over Microsoft’s
automatic downloading of Windows Genuine Advantage, which phoned home every 24
hours.

More than 300 well-thought-out comments streamed in. We’ll never be able to respond in full to everyone individually, but we hope
this section will serve to recognize everyone’s help while giving you the useful info you need.

Portions of the security community have been abuzz lately with talk of a
new rootkit technology dubbed “Blue Pill.”

The name is an obvious Matrix reference, especially given that the same
researcher named an earlier rootkit detector that she wrote “Red Pill.” The
latest buzz started with an
eWeek article
on her work.

When Microsoft first announced Windows Live OneCare, I figured
Redmond had a lot of cojones to charge consumers for protection against
flaws in its own products.

In OneCare’s first month, however, it appears to my jaundiced eye that MS has responded
admirably to two real, in-the-wild, zero-day attacks — first in Word, then in Excel —
via a little-known free service called the Windows Live
Safety Center. Never heard of it? Read on.

The last few weeks haven’t been good
for Microsoft Excel. Three serious vulnerabilities affecting the popular
spreadsheet program have been revealed. Two of these are already being actively exploited in the
wild.

This is a serious concern, as
there currently isn’t a patch for any of the three holes. But I’ll arm you with
workarounds that should keep
hackers from storming your computer.

Windows Genuine Advantage — the controversial program Microsoft
auto-installed as a "critical security update" on many PCs starting on Apr. 25 —
not only causes problems for many users but has now been proven to send
personally identifiable information back to Redmond every 24 hours.

This behavior clearly fits any plausible definition of "spyware." Some tech
writers have said categorizing WGA as spyware is arguable. But I have no
hesitation in calling the program a security nightmare that Microsoft should
never have distributed in its present form.

Windows Vista Beta 2 may be the most-downloaded program in history — but
heaven help ya if you use it for real work.

Bugs and lock-ups come with the territory — it’s beta software, after all, and
you’d be crazy to run Vista Beta 2 on a
production machine. (Or go crazy trying.) Having spent months struggling with
various incarnations of the Vista beast, I’m worried about something more
fundamental than bugs. More insidious. One Vista feature, User Account Control,
just keeps getting in the way.

With the large number of Microsoft patches this week, I don’t want you to forget about
the third-party programs that you and probably all of your users have. These
apps need
updates too, and there are some security updates that need to be installed.

I’ve also taken note of what I think is a novel "attack" based on USB
Flash
drives. I thought I was too smart to fall for this one, but I was wrong.

If you’re like me and the other
writers of this newsletter, you were probably overwhelmed by the number of
patches Microsoft released on Patch Tuesday.
Microsoft released yet another cumulative rollup for IE, which fixed eight open holes
— but once again, there are plenty left open to talk about.

I wrote about the last IE patch in my
Apr. 13th
column. Comparing that column to what was patched in Tuesday’s release shows
that only 1 out of the 3 flaws I talked about then have been patched in the latest
IE rollup.

After our battle scars from the April
patches, Microsoft’s May patches were a bit of a breather for consumers.

While the Exchange patch meant homework for administrators, home users at least
had a break after the “double patch” bout we had in April. But
lest you think everything is rosy on the other side of the operating
system, even Apple folks had to deal with their share of patch pain this month.

It used to be
that the term “zero-day”
exploit was just a concept that companies like Microsoft treated as a myth. The
idea of a vulnerability being found in one of their products and the exploit for that vulnerability coming out at the same time is something that no one wanted
to believe could happen.

Now, however, zero-day exploits do happen — but only sporadically. When
these exploits do surface, it’s a cause for concern for everyone. There is
usually no defense against them until they can be understood and patches or
workarounds can be made available. Such is the case with the Word zero-day
vulnerability that was discovered recently.

For years I’ve been advising Windows consumers to disable Automatic Updates:
Keep Microsoft’s mitts off your machine until you’re darn sure the
proffered patches do more good than harm.

I’ve taken a lot of flak for that heretical stance, vilified for intimating that
Microsoft’s patching process leaves consumers in the lurch. Bah. Recent events
have proved my point conclusively: Windows auto-update is for chumps.

That’s the way it seems to go these
days: Microsoft — or any software vendor for that matter — patches a piece of
software, and someone goes and finds some other flaw that can be
exploited. I guess that’s become the price we all have to pay for
working with technology; we all have to try to be one step ahead of the hackers
out there.

While Microsoft is by no means perfect in the area of security, it is at
least trying to do better. This has become clear to me after attending the
Microsoft Management Summit a few weeks ago — at the same time as I’ve just
started scratching the surface in my
role as a newly awarded MVP. Don’t think you can get rid of me anytime soon, though; there are still
plenty of unpatched vulnerabilities out there to tell you about.

Last month was rough for home patchers — and this month isn’t looking much
better.

It seems like only a few days ago we were dealing with issues with Outlook
Express and Windows Shell. Here we are this month with another patch that so far
looks a bit tricky to get on our boxes, especially for home users without a patch-management administrator.

Microsoft re-released on Apr. 25 a security patch that had been issued 14
days earlier in the company’s monthly Patch Tuesday schedule.

The original version of security bulletin MS06-015 causes problems with Microsoft
Office and other apps when you try to open or save files in the My Documents
folder; with Internet Explorer when you type Web addresses into the Address Bar;
and with an untold number of other programs.

The Redmond company says the problems are being caused by older versions of HP
Share-to-Web software, nVidia graphics drivers, and Kerio Personal Firewall. But
I believe there may be other conflicts at work, as I discuss below.

Here I was, looking for fallout from Microsoft’s Eolas/Internet Explorer patch
— but most of the issues came instead from other patches.

Just like everyone else, I was expecting most of the problems from Patch Tuesday
would be from 06-013. This is the cumulative Internet Explorer patch, which
changes the way Active X works. I wasn’t expecting to see issues in the Windows
Shell patch, the Outlook Express patch, nor in OE’s Junk Mail Filter. These
issues, because they mostly affect consumers, have raised a concern about online
communities and self-help sites. I think they’re masking the real magnitude of
issues.

I don’t gush over new software very often. Most of what I see looks like
same-old, same-old, maybe with a burnished bell here or a twisted whistle there.

But I recently found something new — something exciting — on the Web, and it’s
saved my tail a couple of times. If you haven’t seen SiteAdvisor, you should
look. If you don’t use SiteAdvisor, you should try.

For as long as people have been finding security vulnerabilities, software
vendors have been trying to "slipstream" security fixes. What’s surprised me in
the past few weeks is that a couple of big vendors have admitted to it and are
trying to justify the practice.

As you’ve seen in the top story in this issue, the patches Microsoft
released via its regular Patch Tuesday schedule on April 11 caused serious grief
for many people. Unfortunately, I believe there are still other software conflicts
that Microsoft hasn’t yet confirmed.

I’ve seen reports of problems with AOL, the Windows version of iTunes, and other
popular software — all related somehow to the April 11 patches.

I described in the
Mar. 30
newsletter how to use "disposable" e-mail addresses. These are
unique addresses that you give to Web sites and other
people who want to send you mail. If they happen to reveal your address to spammers,
you simply turn off that one address rather than trying to filter out a wave
of spam.

My readers, it turns out, have a lot of ideas about using disposable addresses.
Follow along with me as we hear about some great tricks, many of which cost little
or nothing.

It’s amazing how Microsoft finds ways to get us to spend a little extra time
with Windows now and then. If it isn’t a patch we have to install, it’s a
workaround for the change to daylight savings time.

Susan Bradley provided some good tips on dealing with DST pains-in-the-butt in her
Mar. 30, 2006,
column.

Apparently, that wasn’t the end of it. Follow along as my readers provide tips
on this and other topics from the last issue.

Microsoft did a pretty good job of patching
some serious security holes in Internet Explorer with the release of
MS06-013 on Patch Tuesday. (See Susan’s Patch Watch column,
below.) It’s been a while since I’ve seen that many security fixes in an IE patch.
If it weren’t for the file size, I’d almost think this was a service pack.

While Microsoft eliminated some serious holes this
month, the job is far from done. There are several older IE holes that are yet
to be taken care of.

The Pacific Coast has been showered on
this week and now we’re being showered with security patches.

While the total number of security patches is not that large, it’s still a bit
of a downpour. This
month’s patch release includes not only a cumulative Internet Explorer patch,
but a change in browser behavior due to a patent dispute.

You’re a savvy Windows XP insider. You already know that you can pin programs
on the Start menu. Cool. Hanging your most-used programs on Start makes
it easy to get them cranked up, even when you’re bleary-eyed and blue-toothed,
and your mouse has a mind of its own.

But did you know that you can also pin folders, files, documents —
even Web pages — to the Start menu? Check out these tricks to
make the most of that prime piece of real estate.

I’ve been thinking a lot this week about virtual machine technology. I
have to admit it’s because of the Mac. As you’re no doubt aware, the new Apple
Macs have Intel x86-family processors. This makes them, by just about any
measure, PCs.

It’s not just the CPU, but also the chipset. Apple is using an Intel
chipset, like almost every motherboard vendor who makes Intel-compatible motherboards. That’s not to take any style points away from Apple;
they still win big in that area. It’s not like Apple is shipping putty-colored
plain boxes all of a sudden.

Every time you give out your e-mail address, you take a risk that your address will
get on spammers’ lists and you’ll be bombarded with junk mail.

As a test (which I’ll describe in my
Datamation column in a few weeks), I entered an e-mail address into a signup box at one of
those “get a free laptop” promotional sites. In less than six weeks, the address
I provided was hit with more than 1,000 junk messages — over 23 per day — and they
show no sign of slowing down.

Are you an Internet Explorer user? By that I mean, do you use it for your
daily Web browsing? I like Internet Explorer, I think it’s a very capable
browser. But, as you are probably aware, there seem to be some safety issues.
What do you do when there’s blood on the information superhighway?

Alright, I’ll stop with the car analogies. But I do want to discuss what
to do, now that it looks like we’re in for a long road of unpatched IE
vulnerabilities. This last week, two unpatched IE vulnerabilities were published.
And at least one of them has been proven to be highly exploitable.

This month has been pretty rough on the people at the Microsoft
Security Response Center (MSRC). There’ve been three new vulnerabilities
discovered for my favorite insecure browser — Internet Explorer —
in just the last two weeks.

Of those three vulnerabilities, one will cause IE to crash at worst. But the others
are severe enough to allow infected code to run that could very well take over
your computer. Here we go again. The race for a patch begins.

Normally before there’s a patch, we don’t get quite the advance notice that we did this time. An Internet Explorer
upgrade is coming that can impact your
Web-based applications. You need to know now how this may affect you, well before Microsoft
releases the patch on Apr. 11.

Why is this patch different? Because it’s not a security patch — it’s a
reaction to a patent lawsuit.

Does Office think your name is “Satisfied Dell Customer”? When you install
new programs, do they want to send a confirmation e-mail to “OEM User”?

Or — raise your hand if this sounds familiar — when you first installed
Windows, did you misspell your own name? Hey, it’s happened to me. More than
once. If you’ve ever wanted to turn back the clock and tell Windows or Office
that the name or organization permanently emblazoned in your PC’s memory is all
wet, this secret’s for you.

I’ve spent most of the past
three weeks slogging through the “February
Community Technology Preview” of the next version of Windows — Vista Build
5308, to the tech-savvy.

For the first time in a very, very long time, I’m excited about a new product
from Microsoft. Vista holds tremendous promise. Whether the final product will
live up to the promise, though, is anyone’s guess.

If you’re responsible for more computers
than you can personally lay hands
on in a short period of time, then you probably have a patching
process that includes some kind of cost/benefit analysis. This doesn’t
necessarily require a spreadsheet with salaries and downtime costs.
It can be as simple as answering the question, “How much trouble am I in if I crash
the server in the middle of the day?”

The answer to that last question is probably, “I guess I’ll be staying late,
and applying the patches after everyone goes home.”

That’s a perfectly acceptable strategy — if you can get all the
machines done manually in a reasonable amount of time. But it doesn’t scale well
at all.

I’d like to present some tips that I’ve learned to make your life
easier when dealing with patches and updates. Most of these tips come from my
co-moderation of the patchmanagement.org
mailing lists, and my job at BigFix, a company that sells a patch-management product.

We all know that using a computer is a dangerous business these days. Design flaws and vulnerabilities can come from anywhere, from any server, all the way down to the client accessing it — and everywhere in-between.

The best we can do these days is to be aware of what is out there, protect your
computer as best you can, and practice safe computing practices. The only thing
else you can do is hope that a hacker doesn’t think you’re a tempting target.

The bulletins came to my inbox. Two patches. One for Office, one for DACLs.
(What’s a DACL?) But that isn’t all. Microsoft Update has a few more patches it wants me to
install.

In addition to the ever-present Windows Malicious Software Removal Tool for
March (KB
890830),
and the monthly update for the Outlook 2003 Junk E-Mail
Filter (KB
913161), we have a few other patches in Microsoft Update’s “high
priority patches” list. It reminds me that it’s not just security patches
that are up there in the top section.

A raging controversy over whether Windows patches ever reboot a PC without
permission has been solved. Reboots can happen when you’re not expecting
it — but you can minimize the problem or eliminate it entirely.

This subject sparked a debate when reader Evan Katz wrote in to ask whether
Microsoft patches had started rebooting Windows automatically, even when the
Automatic Updates control panel is configured to notify the user of downloads
instead of installing them without notice. His comments were printed in the paid
version of our Dec. 15, 2005,
newsletter.

With the patch issues that arose last week, and folks asking if Microsoft
tests patches before releasing them, it reminds us that Redmond still has a
long way to go in the trust department.

But Redmond wasn’t the only one with vulnerability and software issues this time
around. Apple has joined in the browser vulnerability battle with its Safari browser this
week. Sophos didn’t help much with its software giving off false positives.
It’s been more of a battle to clean up after our security tools than it was to
deal with patching issues this month.

I’ve seen (and reviewed) enough Windows XP utilities to bust a billion
bottomless bit buckets. The world’s full of ’em.

But when a good friend recently asked, “What utilities do you really
use, Woody?”, I had to stop for a while and think. You see, truth be told,
I keep very few utilities on my main machine. Too much
headache. Too little benefit. Hard to keep them all straight.

Our tests of antispam appliances in the
Jan. 26 newsletter made a definite impression on our readers. The article received
a reader rating of 4.15
out of a possible 5,
our highest-rated article so far (well, in all two of the issues that’ve
supported reader
ratings to date). And several subscribers
sent us their own results from testing the least-expensive appliance in our
review: the Deep Six Technologies DS200 Spamwall, which we found to be highly effective.

The date on the calendar as Microsoft’s patches came out this week said St. Valentine’s
Day, the day for love and romance. But if you’re a patchaholic like me, a guy
who offered to patch my computers for me would be even more romantic than roses
and chocolate.

Especially in a week like this, when he’d have to use some extra manual labor
to get my machines fully patched.

Windows XP’s System Restore can save your bacon. But it wallows in disk space
like a hog.

If you understand the secrets of System Restore, you can save yourself untold
headaches when things inevitably go bump in the night. And you can reclaim a few
zillion megabytes of pure Windows pork while you’re at it.

Have you thought much about how and when your software providers release their
patches? Are patches provided in a convenient format for centralized updates? Do
patches take years, months, or only weeks to deliver? If you’re paying attention,
this will help your security stance in the future.

A simple device that prevents spammers from delivering junk to your mail server
outperforms complex spam filtering appliances costing up to seven times as much,
according to tests by the Windows Secrets Newsletter.

If your company is suffering from onslaughts of spam, our tests indicate that this new approach
can halt more than 99% of your unwanted flow without blocking legitimate e-mail. Best of all,
the new technology does this without creating a large “quarantine” of suspected spam that you or
your employees must manually comb through.

There’s been a lot of talk about the Windows Wi-Fi “flaw” that was revealed recently.

Some security professionals call it a high-risk vulnerability. Meanwhile, Microsoft
and other security professionals call it a feature — one that can only be exploited under
the right circumstances. Let’s take a closer look, so you can be the judge.

You are at risk. No, seriously. Every time you turn on any kind of
technology, you turn on risk.

The question for today is this: Exactly how do you know what risk you are taking when
you use that technology? Some argue that “old code” is secure code, under the
assumption that the older the code, the more “eyes” have
reviewed it. But is that true? Let’s revisit the Windows Metafile issue with
this in mind, shall we?

Those 8-megapixel cameras take great pictures, don’t they? Faaaaaaat. In
more ways than one.

The top complaint I’ve heard since the holidays has nothing to do with
rootkits, WMF files, or patches of patches. Nope. The people I know who scream
the loudest got expensive new cameras, and they’ve learned that they can’t do
much with their pictures.

How quickly do your vendors release patches? If they take 15 years, does that
mean the problem was an intentional backdoor?

There are, to be sure, some still-outstanding questions regarding how the now-infamous Windows
Metafile flaw affects the Windows 9x/Me platform (as discussed by my fellow columnist, Susan).
One bit of controversy that arose over this problem since our last newsletter deserves
clarification here.

What a way to start the year! The now-well-known WMF vulnerability, which allows an infected
image to silently take over your PC, was first publicized just before New Year’s
Eve. It resulted in a frantic week for Microsoft and millions of Windows
users who wanted to protect themselves.

I considered the risk of infection from hacked Windows metafiles (.wmf
files) to be so dire that I published an unprecedented two news updates in the same week. (In the past 12 months, I’d felt the need to
release only 5 news updates.)

The ball dropped in New York, ushering in the New Year. But we network admins
were scrambling because of a zero-day
exploit for which no patch was available, other than hoping our antivirus
vendors would catch it.

Little did we know at that time that the ‘bug’ was perhaps a wakeup call for us
to have
better procedures to handle a zero-day event in the future (as InfoWorld’s Roger
Grimes

If your holiday season was anything like mine, you probably received a fair amount of
software, either off the shelf, or bundled with a new PC. Seems that CDs have replaced
silk ties as the gift of choice when trying to buy for someone who has
everything.

But CDs and DVDs today can hold dangers that you should avoid. Let’s look at how
one simple change can make you immune to those headaches.

When there’s blood in the water, don’t go swimming. I hope you didn’t think we were all done with our WMF problems.

I’m not going to go over all the details of the WMF vulnerability and patch here.
My fellow columnists have that well covered. I do wish to point out that it’s
an important example of what the patch lifecycle now looks like for a special
case.

Microsoft released on Jan. 5 an emergency patch, named MS06-001, which corrects
Windows’ so-called WMF (Windows metafile) vulnerability. A WMF exploit can silently infect
a PC when it merely displays an image in any browser, instant
messaging, P2P, e-mail, or in a directory listing in Windows Explorer; when
desktop-search applications index an infected image file; and in other ways.

I published a special
news update earlier
in the week urging readers to install an unofficial patch for this problem. This
workaround was also strongly recommended by F-Secure, the SANS Institute’s Internet Storm
Center (ISC), and several other security sites.

A weakness in the way Windows renders images is being
exploited on the Internet and affects any browser you may be using, not just
Internet Explorer.

Microsoft has no patch for the problem at this writing. An official patch may
appear at any time, or it may take days or weeks. I recommend that you
immediately run a small,
unofficial patch that was developed by white-hat security researchers to make
your PCs immune to the problem.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of iNET Interactive. All other marks are the trademarks or service marks of their respective owners.